An Online Privacy Toolkit

Mar 13, 2012

In my joint talk for Newcastle Skeptics in the Pub, we argued that data is a commodity. Your personal information should be treated as such. There may be times where you consent to services accessing your information; however, there are other times in which you don’t. Instead, your data is taken unless you opt out, or secretly uploaded to a server without “unambiguous” consent.

This blog post serves as a utility belt; a toolkit of web browser extensions and mobile phone applications I find useful to use in order to ensure I can remain in control of as much of my information as I can.

Search Engines

DuckDuckGo is an alternate search engine that has been gaining traction in the last year or so. It is completely anonymous, in that it does not track or log your searches, it is encrypted as standard, and does not filter your results according to your worldview. In comparison to Google, DuckDuckGo is not quite there yet, although I use it as my day-to-day search engine and rarely have to revert to Google. The !bang syntax is amazing, too!

Behavioural Tracking

AdBlock Plus is a browser extension originally developed for Firefox, but also available on Chrome. This extension will stop ads from being displayed in web pages, and also from phoning home and tracking data. AdBlock can itself be customised with extensions. Adversity and Antisocial provide some extra filters to stop some additional social-related tracking cookies.

I also have Ghostery installed, which does very much the same thing as AdBlock Plus, but is a lot more transparent. Its options menu also makes unblocking items possible with relative ease. Ghostery is fairly robust and works on Firefox, Chrome, Opera, Safari (including Safari iOS!) and Internet Explorer. It’s worth it.

There are some other alternatives out there that I haven’t tried, namely the Do Not Track Plus extension, which works in a similar manner to the above extensions. Furthermore, there is an experiment into embedding opt-out to web tracking as part of the underlying HTTP protocol, by specifying a “Do Not Track” header. The linked site specifies how to enable this for each browser, although not everyone is willing to support this yet. Hopefully, that will change.
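What the “Do Not Track” header looks like from the server's side, as an added example that is not part of the original post: the browser sends the request header `DNT: 1`, and it is up to the site to act on it. The WSGI app, the `visitor_id` cookie name and the `simulate` helper are assumptions made for illustration.

```python
# Added example (not from the original post): honouring "DNT: 1" server-side.
import uuid
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

COOKIE = "visitor_id"  # hypothetical tracking-cookie name


def wants_no_tracking(environ):
    """True when the browser sent 'DNT: 1' (WSGI exposes it as HTTP_DNT)."""
    return environ.get("HTTP_DNT", "").strip() == "1"


def app(environ, start_response):
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if wants_no_tracking(environ):
        # Opted out: issue no identifier and expire one set on an earlier visit.
        if COOKIE in cookies:
            headers.append(("Set-Cookie", f"{COOKIE}=; Max-Age=0; Path=/"))
        body = b"tracking disabled\n"
    else:
        # No preference (header absent) or "DNT: 0": the site's default applies.
        if COOKIE not in cookies:
            headers.append(
                ("Set-Cookie", f"{COOKIE}={uuid.uuid4().hex}; Path=/; HttpOnly"))
        body = b"tracking enabled\n"
    start_response("200 OK", headers)
    return [body]


def simulate(request_headers):
    """Run one constructed request through app(); return (headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in request_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = []
    body = b"".join(app(environ, lambda status, hdrs: captured.extend(hdrs)))
    return captured, body


if __name__ == "__main__":
    for req in ({}, {"DNT": "1"}, {"DNT": "1", "Cookie": "visitor_id=abc"}):
        print(req, "->", simulate(req))
```

The header only states a preference; nothing in the protocol forces the `if` branch to exist, which is why the extensions above still matter.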

Surprisingly, an effective way to stop a lot of tracking is to simply log out of a service after using it. This is not just closing the tab, but actually logging out. When you’re logged in, even if the tab is closed, any tracking cookies on your machine from that service can identify your browsing habits to your user account.

If you’d like to read about the general principles behind web tracking, I have found this visualisation tool to be remarkably effective.

Social Networking

Part of the issue that I have with social networking is that the privacy policies are constantly changing. Keeping on top of the changes is difficult, especially as the trend for default settings is to push more of your data into the public sphere. I’ve found that Lifehacker offer the best, always-up-to-date guides for Facebook and Google+. Bookmark and check back every month. My rule of thumb is to assume the default privacy settings are crap, and therefore I make a point to tighten them up as soon as I sign up to a service.

Mobile Phone Privacy

The permission systems on mobile phone operating systems are wildly different. Android provides an “opt-in” mechanism, where applications have to declare they want to access certain functions on your device, such as accessing the Internet or viewing your contact lists. This information is provided to the user at the time of installation, and can be viewed at any time from the application settings menu. Apple, on the other hand, prefer this to be hidden from the user and ask users to put faith in Apple’s rather draconian and opaque approval system to weed out any bad eggs. That is not always the case.

LBE Privacy Guard

If you have a rooted Android handset (it’s quite easy to do and I recommend taking the time to do so purely for this), then I strongly advise installing LBE Privacy Guard. This runs as an always-on service, and allows you to revoke permissions for an application either once and for all, or whenever the app tries to access a feature. For example, I have LBE Privacy Guard set to always reject access to my contact list for the likes of Facebook and Twitter, but I allow LBE to prompt me when Google Maps requires access to my GPS.

Security

Last but certainly not least, I’d like to mention that maintaining good security is essential in order to remain in control of your information. Not only should you have a good, strong password, you should only use it for one login. Having many passwords for many services makes stealing your identity extremely difficult, but it also makes your life more difficult as you have to remember the damn things. Well, you don’t. Services like LastPass (which works on literally everything) keep your passwords secure and handle logging in for you. It only requires one master password, and synchronises everything across multiple devices.

Do you connect to the Internet using a wireless connection? If you do, make sure the wireless router is encrypted. Nowadays, most open networks are at pubs and coffee shops. They actually have an extra layer of protection behind them known as a VPN, which requires login details. However, for the standard out-of-the-box router, these services are not available. Take it as a given that if your home wireless router is unencrypted, someone is stealing your internet. You can be held liable for their actions. It seems as if some basic encryption is enabled as standard on wireless routers now, but if yours is open you can look at this guide to get things encrypted.

There was a media uproar over the discovery of the Firesheep extension. This displays any logged-in users for the most popular online services and, at the click of a button, lets you log in as them. This only works on completely unencrypted networks and is totally illegal, but the reason for the controversy was that the tool made the process so user-friendly! I’ve never discovered the use of Firesheep in the wild, but the Blacksheep extension will notify you if someone is using Firesheep on the network you’re connected to.

You can encrypt web traffic. This is used for online payments so your credit card information cannot be stolen, but is also being enabled for more and more websites as computing costs come down. Most webmail services (such as Gmail) use HTTPS by default. Likewise, logged-in Twitter users get the benefit of security. Plus, it is possible to enable HTTPS for many other services, such as Google and Facebook. The HTTPS Everywhere extension from the Electronic Frontier Foundation will take care of encrypting as much web traffic as it can. This extension is simply essential.
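A check a site owner can run against their own responses to see which login cookies would be readable on an open network, the exposure the Firesheep and HTTPS paragraphs above are about. This is an added example, not code from the original post; it assumes the logged-in state is carried in a cookie, and the hosts, cookie names and responses are constructed.

```python
# Added example (not from the original post). All responses are constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(url, headers):
    """Return (cookie, problem) pairs for cookies readable on an open network."""
    findings = []
    over_https = url.lower().startswith("https://")
    for key, value in headers:
        if key.lower() != "set-cookie" or not value.strip():
            continue
        name, attrs = parse_set_cookie(value)
        if not over_https:
            # The whole exchange is cleartext, cookie included.
            findings.append((name, "issued over plain HTTP"))
        elif "secure" not in attrs:
            # Without Secure the browser attaches it to http:// requests too.
            findings.append((name, "no Secure attribute, also sent on http:// requests"))
    return findings


SAMPLE = [  # constructed responses; hosts use the reserved .example TLD
    ("http://forum.example/login", [("Set-Cookie", "session=abc123; Path=/")]),
    ("https://mail.example/", [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sid=dG9rZW4=; Path=/; HttpOnly"),
        ("set-cookie", "auth=xyz; path=/; secure; httponly"),
    ]),
]


def audit_all(responses):
    """Audit every (url, headers) pair and key the findings by URL."""
    return {url: audit(url, headers) for url, headers in responses}


if __name__ == "__main__":
    for url, found in audit_all(SAMPLE).items():
        for cookie, problem in found:
            print(f"{url}: {cookie}: {problem}")
```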

Finally, the Tor project will encrypt all of your web traffic. How this works is beyond the scope of this article; however, the general principle is that it adds several layers of encryption to your web traffic, and your data packets perform less predictable hops around the intertubes. This technology has the capability to break through government-level filters, and as such is commonly used by journalists, human rights activists and protesters in less-than-friendly circumstances. Tor can take a bit of technical know-how to set up; however, the Tor Browser Bundle is your easiest bet. If you need the same functionality on your mobile phone, get a rooted Android device and install Orbot.

Conclusion

Well, this blog post was longer than I expected, but the web is a dynamic place with so many protocols, services and methods of access that reliably providing you with a means of keeping yourself protected requires a fairly in-depth analysis. There’s still a lot more that can be said on this subject, namely how to truly remain anonymous online, but for general users, the above should be sufficient.